> If I may make a quick suggestion - as for tightening things up a bit for
> security purposes. It's always a good idea to use proven methods rather
> than make things up as we go. I have found that majordomo has done a pretty
> good job in the security arena. Of course there are always issues but
> overall it's not bad. Maybe you could borrow some of their strategies that
> seem to work pretty well. For example, their permission scheme is pretty
> tight. Not bulletproof but well done.
>
> My $0.02 for what it's worth.
Good suggestion, I'll take a look at it. In the meantime, I've attached
a version of webnocol.cgi that runs with -Tw. For those that prefer it,
I'll put the diff at the end of this message--it's not long. All the
warnings I got were for uninitialized variables, simply because we don't
pre-declare the form variables and the user doesn't fill them all in. So
I hid them. To get taint mode to run I had to untaint two variables. I
did not turn on strict mode, simply because I don't have time right now
to go through the code to add a bazillion 'my's. Turning on warnings for
genweb.pl also generated warnings about uninitialized variables, all of
which seemed to be for entries that don't exist in ~nocol/etc/updates.
There are also a couple of unused variables in the localtime call. I didn't
look too hard at it for time reasons though.
--Rick
*** webnocol.cgi Tue Mar 27 13:15:56 2001
--- webnocol.cgi.orig Tue Mar 27 13:11:40 2001
***************
*** 1,4 ****
! #!/usr/local/bin/perl -Tw
#
# $Header: /home/vikas/src/nocol/webnocol/RCS/webnocol.cgi,v 2.9
2000/05/03 21:18:38 vikas Exp $
#
--- 1,4 ----
! #!/usr/local/bin/perl
#
# $Header: /home/vikas/src/nocol/webnocol/RCS/webnocol.cgi,v 2.9
2000/05/03 21:18:38 vikas Exp $
#
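Review bot: the diff is reversed: the header lists the modified webnocol.cgi (13:15:56) as the first file and webnocol.cgi.orig as the second, so every `-` line in the hunks below is actually an addition and `patch` will need `-R` (or the two files swapped) to apply it to a stock copy. On the shebang change itself, `-T` on the `#!` line only takes effect when httpd executes the script directly; if the server invokes it as `perl webnocol.cgi`, perl dies with "Too late for -T", so the install notes should say the script must be exec'd via the `#!` line or run with `perl -T`.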
***************
*** 80,90 ****
####
#############################################################################
- # A few things to enhance security.
- $SIG{__WARN__} = \&dowarn;
- $ENV{PATH} = '/usr/sbin:/usr/bin'; # You may want to change this
- $ENV{IFS} = "" if $ENV{IFS} ne "";
-
## CUSTOMIZE THE LOCATION OF THIS CGI-SCRIPT AS SEEN BY httpd. This
MUST
## run on the same host as NOCOL since this script needs to access the
## nocol data files.
--- 80,85 ----
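Review bot: the environment cleanup is incomplete for taint mode and the IFS test is itself a source of the warnings this patch then hides. perlsec asks for `IFS`, `CDPATH`, `ENV` and `BASH_ENV` to be removed before any `system`/backtick call, and `$ENV{IFS} ne ""` emits "Use of uninitialized value" under `-w` when IFS is unset (which is the normal case under httpd). Replace the IFS line with `delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};`. The `$SIG{__WARN__}` assignment is warning suppression, not a security measure, so it should not sit under the "enhance security" comment.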
***************
*** 713,725 ****
print "debug ($subcmd) Trying $cmd $siteaddr<br>" if $ldebug;
if ($cmd) {
$siteaddr =~ tr/[a-zA-Z0-9_.\-]//cd; # strip unwanted characters
- if ($siteaddr =~ /^([\/-\@\w.]+)$/) {
- $siteaddr = $1;
- } else {
- print "Command $siteaddr error <p>\n";
- &print_footer();
- return;
- }
if (!$siteaddr || $siteaddr eq '-') {
$cmd =~ s/DEVICE/$sitename/ ; # replace keyword with name
} else {
--- 708,713 ----
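Review bot: the untaint regex `/^([\/-\@\w.]+)$/` makes the `eq '-'` branch that follows unreachable. Inside a character class `\/-\@` is a range from `/` (0x2F) to `@` (0x40), so the class contains no literal hyphen; a `$siteaddr` of `-`, which the `tr` on the preceding line deliberately keeps and the `if (!$siteaddr || $siteaddr eq '-')` test expects, fails the match and lands in the "Command - error" path. The range also admits `:;<=>?@`, which `tr` has already stripped, so the two filters disagree on the allowed set. Use one whitelist with the hyphen last, e.g. `if ($siteaddr =~ /^([\w.-]+)$/) {`, and note that the `[` and `]` in the `tr` search list are literal characters, not a class.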
***************
*** 779,793 ****
return if ($sitename eq "" || $RRD_DBDIR eq "");
$rrddir = "$RRD_DBDIR/" . substr($sitename, 0, 1) . "/$sitename";
- # For security, we make sure there are not periods in sitename. Note
that
- # if you have sites with periods in them, you won't be able to see
their
- # graphs.
- if ($rrddir =~ /^([^.]+)$/) {
- $rrddir = $1;
- } else {
- print "<h4>RRD path $rrddir not valid</h4>\n";
- return;
- }
print "<center><H3>$sitename : $siteaddr</H3>\n";
print " <hr width=\"50\%\" align=center>\n</center>\n";
--- 767,772 ----
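Review bot: the check is applied to the wrong variable. `$rrddir` already contains `$RRD_DBDIR`, so a period anywhere in the configured base directory fails `/^([^.]+)$/` and disables every graph, while `[^.]+` still accepts `/` in `$sitename`, so the untaint does not actually confine the user-supplied component to one directory level. Validate `$sitename` before it is joined to the path, e.g. `if ($sitename =~ /^([\w-]+)$/) { $sitename = $1 } else { print "<h4>Site name not valid</h4>\n"; return; }`, which rejects both `/` and `..` and leaves `$RRD_DBDIR` alone. Also, the three comment lines have been wrapped by the mailer ("Note\nthat", "see\ntheir"), which will make the hunk fail to apply as pasted.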
***************
*** 900,910 ****
&print_footer();
- }
- # A cheat to hide some warning messages.
- sub dowarn {
- $_ = shift;
- warn ($_) if ! /^Use of uninitialized value/;
- return;
}
--- 879,883 ----
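Review bot: `$_ = shift;` inside `dowarn` assigns to the global `$_` without localizing it, so any warning raised while a caller is inside `while (<FH>)` or `for (@list)` clobbers the caller's loop variable. Use `my $msg = shift; warn($msg) unless $msg =~ /^Use of uninitialized value/;` instead. Since the handler only masks the symptom, initializing the form variables (`$x = '' unless defined $x;`) would let the hook be dropped entirely.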
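As an added illustration of the two untaint points the message raises (the device address passed to a command and the site name used as an RRD path component), here is a small stand-alone Perl script, not part of Rick's patch or of the NOCOL code, that runs under -Tw and validates each user-supplied value with one whitelist regex before use. The function names `untaint_siteaddr`, `untaint_sitename` and `rrd_dir` and the sample inputs are made up for the example; the environment cleanup follows perlsec.

```perl
#!/usr/bin/perl -Tw
use strict;

# Environment cleanup taint mode expects before any system()/backtick
# call (perlsec): fixed PATH, and the shell-influencing variables removed.
$ENV{PATH} = '/usr/sbin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Untaint a device address: letters, digits, '_', '.' and '-' only.
# A lone '-' (meaning "no address") must pass, so the hyphen is placed
# last in the class where it is a literal, not a range operator.
# Returns the untainted value, or undef if anything else is present.
sub untaint_siteaddr {
    my ($addr) = @_;
    return undef unless defined $addr;
    return $1 if $addr =~ /^([A-Za-z0-9_.-]+)$/;
    return undef;
}

# Untaint a site name that becomes a single path component: no '/' and
# no '.', so neither "../" nor an absolute path can be smuggled in.
sub untaint_sitename {
    my ($name) = @_;
    return undef unless defined $name;
    return $1 if $name =~ /^([A-Za-z0-9_-]+)$/;
    return undef;
}

# Build the RRD directory from the validated site name. The check is on
# the user-controlled component, so a '.' in the configured base
# directory (hypothetical value below) does not break anything.
sub rrd_dir {
    my ($rrd_dbdir, $sitename) = @_;
    my $clean = untaint_sitename($sitename);
    return undef unless defined $clean;
    return "$rrd_dbdir/" . substr($clean, 0, 1) . "/$clean";
}

# Constructed sample inputs, including the edge cases discussed above.
my @addrs = ('host01.example.net', '-', '10.0.0.1', 'host;id', '');
for my $addr (@addrs) {
    my $ok = untaint_siteaddr($addr);
    printf "siteaddr %-22s => %s\n", "'$addr'",
        defined $ok ? "ok ($ok)" : 'rejected';
}

my @names = ('router1', 'r-1', '../etc', 'a/b', 'www.example.com');
for my $name (@names) {
    my $dir = rrd_dir('/usr/local/nocol.rrd/db', $name);
    printf "sitename %-18s => %s\n", "'$name'",
        defined $dir ? $dir : 'rejected';
}
```

Run it as `./taint_demo.pl` or `perl -T taint_demo.pl`; invoking it as `perl taint_demo.pl` dies with "Too late for -T", which is the same constraint the -T shebang imposes on the CGI. The value captured in `$1` is what Perl untaints, so each validator returns the capture rather than the original string.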